It’s common practice to limit network traffic to sensitive resources like
databases as an added layer of security on top of authentication methods like a
username and password. When access is permitted only from a set of whitelisted
IP addresses, attackers cannot even attempt to log in unless they have access
to one of the approved computers.

To enable users to impose this kind of network rule while permitting access
from SherlockML, we provide an API which returns the list of IP addresses where
your SherlockML user servers run, at
https://sherlockml.com/api/cluster/ip-addresses.

This API returns a JSON object containing the current IP addresses of the
cluster, formatted as follows:

{"ipAddresses":["101.2.3.4","105.6.7.8"]}

Warning

The list of IP addresses will change as necessary software updates are
applied or when the SherlockML compute cluster is scaled in size. You
should therefore not assume that the IPs do not change, but rather set up a
periodic task that updates your relevant network rules.

You can then write some code that uses a relevant API to update network rules.
For example, on Amazon Web Services (AWS), you can use boto3 to update AWS
security group rules:

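import boto3
import requests

# Current SherlockML cluster IPs, fetched from the API described above
sherlockml_ips = requests.get(
    'https://sherlockml.com/api/cluster/ip-addresses', timeout=10
).json()['ipAddresses']

EC2 = boto3.resource('ec2')
security_group = EC2.SecurityGroup('your-security-group-id')

for ip_address in sherlockml_ips:
    cidr = '{}/32'.format(ip_address)
    security_group.authorize_ingress(
        IpProtocol='tcp',
        FromPort=5432,  # For accessing a PostgreSQL database
        ToPort=5432,  # For accessing a PostgreSQL database
        CidrIp=cidr
    )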

Be sure to also implement logic to remove access rules for IPs that are no
longer in the list retrieved from SherlockML.
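
One way to implement that removal logic, as an added example that is not SherlockML's own code: it diffs the security group's current rules against the fetched list and revokes only rules it created itself. The `sherlockml-managed` description tag and the function names are assumptions made for this example, and the rules in the demo at the bottom are constructed.

```python
import ipaddress

PORT = 5432                 # PostgreSQL, as in the snippet above
TAG = "sherlockml-managed"  # assumed label marking rules this job owns


def plan_changes(ip_permissions, desired_ips, port=PORT, tag=TAG):
    """Return (cidrs_to_add, cidrs_to_revoke) for one TCP port.

    Only ranges carrying our tag are revoked, so hand-made rules on the
    same port (an office IP, a bastion) are left alone.
    """
    if not desired_ips:
        raise ValueError("empty IP list; refusing to revoke every rule")
    # IPv4Address() rejects anything but a literal address, so a bad API
    # response such as "0.0.0.0/0" can never become a rule.
    desired = {"{}/32".format(ipaddress.IPv4Address(ip)) for ip in desired_ips}
    present, managed = set(), set()
    for perm in ip_permissions:
        key = (perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort"))
        if key != ("tcp", port, port):
            continue
        for rng in perm.get("IpRanges", []):
            present.add(rng["CidrIp"])
            if rng.get("Description") == tag:
                managed.add(rng["CidrIp"])
    return sorted(desired - present), sorted(managed - desired)


def _permission(ranges, port):
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "IpRanges": ranges}]


def sync(security_group, desired_ips, port=PORT, tag=TAG):
    """Reconcile a boto3 SecurityGroup; add before revoking to avoid a gap."""
    security_group.reload()  # drop cached rules from an earlier run
    to_add, to_revoke = plan_changes(security_group.ip_permissions, desired_ips, port, tag)
    if to_add:
        ranges = [{"CidrIp": c, "Description": tag} for c in to_add]
        security_group.authorize_ingress(IpPermissions=_permission(ranges, port))
    if to_revoke:
        ranges = [{"CidrIp": c} for c in to_revoke]
        security_group.revoke_ingress(IpPermissions=_permission(ranges, port))
    return to_add, to_revoke


if __name__ == "__main__":
    # Constructed sample in the shape of SecurityGroup.ip_permissions.
    sample = _permission([{"CidrIp": "198.51.100.9/32", "Description": TAG},
                          {"CidrIp": "203.0.113.7/32", "Description": "office"}], PORT)
    print(plan_changes(sample, ["101.2.3.4", "105.6.7.8"]))
```

Rules added without the tag, such as those created by the snippet above, are treated as hand-made and are never revoked by `sync`.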